Google Apps

Presentation

Google Apps can use SAML to authenticate users, acting as a SAML service provider (SP), as explained here: http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html.

To work with LemonLDAP::NG, both sides need to be configured: Google Apps must be given the LemonLDAP::NG SSO parameters and signing certificate, and LemonLDAP::NG must register Google Apps as a service provider. Both steps are described below.

Configuration

Google Apps

Note: this part is based on the SimpleSAMLphp documentation: http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps.

As administrator, go to the Google Apps control panel and click on Advanced tools:

googleapps-menu.png

Then select "Set up single sign-on (SSO)":

googleapps-sso.png

Now configure all SAML parameters:

googleapps-ssoconfig.png

For the certificate, you can build it from the signing private key registered in Manager. Select the key and export it (button Download this file):

googleapps-export-priv-key.png

After choosing the file name (for example lemonldap-ng-priv.key), download the key to your disk.

Then use openssl to generate a self-signed certificate from that key (the first command prompts for the certificate subject; the values you enter there do not matter to Google Apps, only the public key does):

$ openssl req -new -key lemonldap-ng-priv.key -out cert.csr
$ openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem

You can then upload the certificate (cert.pem) to Google Apps. Google Apps uses it only to verify the signature on the SAML responses issued by LemonLDAP::NG; the private key itself must stay on the LemonLDAP::NG server, and if you ever replace the signing key in Manager you must build and upload a new certificate, otherwise every response will fail verification on the Google side.
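The following script is an added example and is not part of the LemonLDAP::NG documentation. It performs the certificate step above non-interactively (one openssl call instead of the req + x509 -req pair) and then checks, before anything is uploaded, that the certificate really carries the public half of the signing key and will stay valid for the period you expect. The function names, the demo key and the subject name are assumptions of this example; in practice the key argument is the lemonldap-ng-priv.key file exported from Manager.

```shell
#!/bin/sh
# Added example (not from the LemonLDAP::NG docs): build the self-signed
# certificate Google Apps needs from the IdP signing key, then verify it
# matches that key before uploading it.
set -eu

# Stand-in for the key exported from Manager; used for the demo only.
make_demo_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Self-signed certificate in a single step. -subj skips the interactive
# prompts; the subject is cosmetic, Google Apps only uses the public key.
# $1 = private key file, $2 = output certificate (PEM).
make_self_signed_cert() {
  openssl req -new -x509 -days 3650 -key "$1" -out "$2" \
    -subj "/CN=lemonldap-ng-idp" 2>/dev/null
}

# Succeeds only when the certificate's public key equals the public half of
# the private key. Catches the classic mistake of uploading a certificate
# built from an old or wrong key, which makes every SAML response fail
# verification on the Google side.
# $1 = certificate file, $2 = private key file.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 days from now; an expired
# signing certificate breaks SSO for the whole domain without warning.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run it as `make_self_signed_cert lemonldap-ng-priv.key cert.pem && cert_matches_key cert.pem lemonldap-ng-priv.key` on the LemonLDAP::NG server, and only upload cert.pem when both checks pass.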

LemonLDAP::NG

You should have configured LemonLDAP::NG as a SAML Identity Provider, following this documentation.

Now we will add Google Apps as a new SAML Service Provider:
  1. In Manager, click on SAML service providers and then on the New metadatas button.
  2. Set GoogleApps as Service Provider name.
  3. Set Email in Options > Authentication Response > Default NameID format (Google Apps identifies users by their e-mail address, so the NameID sent must be the user's address in your Google Apps domain).
  4. Disable all signature flags in Options > Signature, except Sign SSO message, which must be set to On: Google Apps sends unsigned authentication requests, so there is nothing for the IdP to verify, but the SSO responses sent back to Google Apps must be signed or they will be rejected.
  5. Select Metadata, unprotect the field and paste the following value:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>

You just have to change mydomain.org to your Google Apps domain; the entityID stays google.com.

Then click on Apply, and Save to save the whole configuration.
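The following helper is an added example, not part of the LemonLDAP::NG documentation. It produces the metadata block above with the Assertion Consumer Service URL filled in for a given domain, and refuses any value that is not a plain DNS name, so that a stray quote or slash cannot end up inside the XML that is pasted into Manager. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the LemonLDAP::NG docs): generate the Google Apps
# SP metadata for one domain, validating the domain first.
set -eu

# A hostname-shaped value: labels of letters, digits and hyphens separated
# by dots, at least one dot. Quotes, slashes, spaces and the like are
# rejected, which keeps the generated XML well-formed.
is_valid_domain() {
  printf '%s' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Emit the metadata from the documentation with the ACS Location set for $1.
google_apps_sp_metadata() {
  is_valid_domain "$1" || { echo "invalid Google Apps domain: $1" >&2; return 1; }
  cat <<EOF
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/$1/acs" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Read the ACS Location back out of the generated metadata: this is the one
# value worth double-checking in Manager, since responses are POSTed there.
acs_location() {
  google_apps_sp_metadata "$1" | sed -n 's/.*Location="\([^"]*\)".*/\1/p'
}
```

`google_apps_sp_metadata mydomain.org` prints the block to paste into the Metadata field; `acs_location mydomain.org` shows the URL Google Apps will receive the signed response on.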